Posted by msmash on Thursday August 24, 2017 @12:20PM from the please-forgive-us dept.

Taylor Hatmaker, writing for TechCrunch: Responding to privacy concerns, AccuWeather is out with a new version of its iOS app that removes a controversial data sharing behavior. Earlier this week, security researcher Will Strafach called attention to the practice in a post and users took to Twitter to announce their intention to dump the app in droves. "AccuWeather's app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor," the company wrote in a statement accompanying the app update. "Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely."

Having seen the quality of programming most people put out, the "wtf this library does that?!" line sounds like exactly what happened.

You should see how much asinine shit I go back and un-create when I realize Docker or Ansible or some other such system has capabilities that I'd achieved with poorly-implemented, clunky scripts and clever playbook design. Programmers have it worse: they've got enormous, complex libraries, and they're universally bad at their jobs to the point that the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about. (programming r hard)

A lot of people think about programming like "I want to tell the computer to draw a house." No, you want to tell the computer to take a series of sensitive, highly-specific steps resulting in a figure shaped like a house on your screen. When you juggle user input, you have to figure out how that input can affect those steps, and ensure that the broad possibilities all fall into well-defined categories of outcomes, or else you have security vulnerabilities. When you use a third-party library, you're blindly using a pile of code that appears to do the right thing where you're looking, but who knows what it's doing in places you're not looking?

Rather than specifically-engineering each step along the way, programmers generally find a tool that does the job and verify that it produces the right result. That's reasonable enough, and this is what happens.

the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about

I would love to see that. Got a link? I tried googling but couldn't come up with anything.

There was this guy [youtube.com] who pulled up a 20-year-old bug in Bugzilla that works because lists are processed by iterating as an expression (e.g. if you do $x = (1, 2, 3, 4, 5), you get $x=1; $x=2; $x=3... and end up with $x=5). As a result, if you put the same entry in a hash twice, you get the second one--and, along with a flaw in DBI, he managed to get admin access to Mozilla's bugzilla.

So everyone whined a lot, and said he's just dumb, and he came back a year later [youtube.com] and (at 21:45) shot a remote code execution
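The two Perl behaviours the comment above describes (a list in scalar context keeps only its last element, and a later duplicate key in a hash constructor wins), followed by the defensive way to build a parameter hash. This is an added example, not code from the thread or from Bugzilla; the request list and key names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 1. A parenthesised list in scalar context is the comma operator: each
#    element is evaluated and discarded, and only the last one is assigned.
my $x = (1, 2, 3, 4, 5);
print "scalar from list: $x\n";

# 2. Duplicate keys in a hash constructor: the later value replaces the earlier.
my %h = (role => 'user', role => 'admin');
print "duplicate key: $h{role}\n";

# 3. Why that matters: flattening a caller-supplied list into a hash of
#    server-set defaults lets a later pair silently override an earlier one.
#    Constructed input for illustration, not a real request.
my @request = ('name', 'alice', 'role', 'admin');
my %naive = (role => 'user', @request);   # the default 'user' is lost here
print "naive role: $naive{role}\n";

# 4. Hardened form: accept only expected keys, read each value as a single
#    scalar, and apply the server-controlled value after the input is read.
my %allowed = map { $_ => 1 } qw(name);
my %safe;
while (my ($k, $v) = splice(@request, 0, 2)) {
    next unless $allowed{$k};             # drop anything not on the allow list
    $safe{$k} = "$v";                     # force a scalar, never a list
}
$safe{role} = 'user';                     # the server decides privilege last
print "safe role: $safe{role}\n";
```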

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

The semi-legitimized reason was to gather location data to tailor the app and provide you with local weather info.

That activity became offensive only because they were caught selling it to a 3rd party.

What I fail to understand is why the hell they didn't just program the app to ask for GPS access. Plenty of other apps do, and consumers happily hand that shit out all day long.

That activity became offensive only because they were caught selling it to a 3rd party.

I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.

We would live in a world seething with wisdom and intelligence if people were actually offended about corporations fucking them over. Laziness, ignorance, and stupidity paint the reality we have instead.

I used this in a home automation app, where having the connection set up as fast as possible adds a lot to the user experience. The app remembers your home's SSID, and when you are on your home wifi it will hit the local address. When you are on LTE or on some other Wifi (different SSID), it'll hit the remote access gateway service.

Sure, another strategy is to just try both connections at once, but I didn't want to hit the remote service when not needed.

The part I don't get is why people use AccuWeather. The National Weather Service has extremely high quality forecasts right there on their web page, and if you visit http://mobile.weather.gov/ [weather.gov] in your iOS device and tap "Share/Add To Home Screen", it's wrapped up behind an icon and "acts" like an app. As a plus, you've already paid for them with your taxes. And they have no privacy violating trackers on their page, not even a google analytics link.

Most importantly, you're not feeding some shitty company who has been trying to make the National Weather Service lock up our public weather data, and who bought and paid for a U.S. senator for exactly that purpose.

I've never tried the mobile.weather.gov so I just checked it out. Yes it has the basic information, but it's not presented nearly as nice as accuweather.

Try to look at the forecast for the next 5 days to see high/low temps. With weather.gov, you need to scroll several screen because the high and low temperatures are each in a big block that takes 1/4 the screen, and your eyes have to wade through the day name, the overall condition name ("mostly sunny", "partly cloudy", etc) and a text description that is

Having a web page isn't very handy to quickly look up the weather. I like having an app that I can add a widget to the notification centre and glance at to see the temperature when my phone is locked. I know that there are, or at least were, apps that let you embed pages as widgets but then I have to buy another app. And Apple limits how much space is shown so if the website doesn't show the information you are after you'll have to unlock the phone to

I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy? I think it's worse that you act based on the assumption that your info is not being collected/transmitted/sold/leaked to others...

You're special. Most people don't give a shit if the app they use makes a note of where they are more accurately than they need to. Because the phone already knows exactly where you are, and people know this, and they assume the information is available. If they gave a shit they'd not use smartphones, or they'd be more careful.

Company looks at it... "We can make more money by screwing our customer over." "Can we get caught?" "Yes, but it's remote and needs very talented people to find out." "Ok, do it, we'll handle it if we get caught."

I'm not as surprised as I am a bit confused as to why every tech-related company and their CEO/CIO/COO/CTO decides to do some overbearing data collection in secrecy and bury it in a T&S agreement, all the while knowingly having a pretty good idea that there is going to be a massive end-user boycott and push-back, and that the venom that is social media is going to propagate it like a pandemic disease?

I'm sure I've seen this movie before like the rest of you --- heck, Plex [bleepingcomputer.com] was just in the news about this, so it's n

I don't know about AccuWeather, but plenty of companies do a cost/benefit calculation to decide whether or not they're going to do something terrible. If they figure that they'll end up making more money than they'll lose when they get caught, then it's full steam ahead.

"Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely." - IIRC, they denied it at first.

"Once we became aware of the reputable 3rd party discovery of this situation we took immediate action to deny and obfuscate the operation and quickly cast doubt on the SDK from the IOS app. Our next step was to fess up, go into damage control and claim we did not know, and then update the IOS app and remove Reveal Mobile completely."

Nothing stops the user from changing the SSID on their home network or owning their own router.

Other than that if you subscribe to home high-speed Internet in a Comcast territory, and you're not renting Comcast's latest gateway, Comcast will inject pop-up ads for its gateway into randomly chosen HTML responses in cleartext HTTP connections that your PCs, tablets, and smartphones make. (Source [consumerist.com]; Source [gizmodo.com]; Source [digitaltrends.com]) Is this a reason to break down and rent Comcast's gateway? Or to boycott sites not available through HTTPS? Or to ditch Comcast and instead pay nearly 100 times more per GB for satellite or home